Re: towards a taxonomy of Information Assurance (IA)

[Mark Curphey <mark () curphey com>]

In the webappsec world some interesting work is taking place under the WAS project at OASIS (www.oasis-open.org). 
Essentially we are creating an XML schema to describe web security issues in a standard way and produce a thesaurus of 
grouped issues leveraging that schema. This is part of a bigger project extending the original Vuln-XML work at OWASP 
to provide a language from which to describe test cases for these issues to be used in scanning tools. The 
classification scheme / thesaurus helps in providing some common language from which to group high level issues.

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

There is also work on more general info sec classification at www.dmtf.org that you may want to take a look at. Of all 
the work I have seen and having run through the issue with some very bright people on the WAS Technical Commitee, I 
think the conclusion if that strict classification schemes are very hard, but thesaurus's are a practical.


---- Abe Usher <abe.usher () sharp-ideas net> wrote:
> Fellow Information Security Professionals,
>
> Bottom line: I'd like your help in shaping a usable taxonomy of 
> Information Assurance.*
>
> This taxonomy is part of my graduate studies, and will not be used for 
> any commercial purposes.  It will remain an "open source" open project.
>
> I am presently working on creating a taxonomy of information assurance, 
> based on the three aspects of:
> (1) Information characteristics
> (2) Information states
> (3) Security countermeasures
>
> These three aspects of Information Assurance (IA) were highlighted by 
> John McCumber [1] as well as a team of West Point researchers [2] as a 
> component of works that define an integrated approach to security.  I 
> have also considered the works of Matt Bishop [3] in how to create a 
> useful taxonomy.
>
> Within the next 6 months, I would like to create a taxonomy that 
> graphically depicts the relationships of these three aspects.  I will 
> use an "open source" model whereby all of my findings & results will be 
> posted for public review and revision.
>
> My intent is that this taxonomy could be used by the academic community, 
> industry, and government in improving the precision of communication 
> used in discussing information assurance/security topics.
>
> I have searched the Internet widely for a taxonomy of Information 
> Assurance, but I have not found anything that is sufficiently detailed 
> for application with real world problems.
>
> I've posted my initial results to the following URL:
>
> http://www.sharp-ideas.net/ia/information_assurance.htm
>
> for comments and peer review.
>
> Cheers,
>
> Abe Usher
> abe.usher () sharp-ideas net
>
>
> * Information assurance is defined as "information operations that 
> protect and defend information and information systems by ensuring their 
> availability, integrity, authentication, confidentiality, and 
> non-repudiation.  This includes providing for restoration of information 
> systems by incorporating protection, detection, and reaction capabilities.
>
> [1] McCumber, John.  "Information Systems Security: A Comprehensive 
> Model".  Proceedings 14th National Computer Security Conference.  
> National Institute of Standards and Technology.  Baltimore, MD.  October 
> 1991.
>
> [2] Maconachy, Victor, Corey Schou, Daniel Ragsdale, and Don Welch. "A 
> Model for Information Assurance: An Integrated Approach".  Proceedings 
> of the 2001 IEEE Workshop on Information Assurance and Security.  U.S. 
> Military Academy.  West Point, NY.  June 2001.
>
> [3] Bishop, Matt.  "A Critical Analysis of Vulnerability Taxonomies".  
> Department of Computer Science, University of California. Davis, CA.  
> September 1996.